FairQ ALTQ for PF - Patch #2
Max Laier
max at love2party.net
Mon Apr 7 12:40:17 PDT 2008
On Monday 07 April 2008 20:42:08 Matthew Dillon wrote:
> :I concur. Keep state should be explicit. Furthermore, I don't expect
> :keep state not to work across reboots. That's why I then write keep
> :state flags S/SA. Something clearly needs to be untangled here. Keep
> :state should keep state as good as possible, but not reject
> : connections.
> :
> :cheers
> : simon
>
> I figured out another reason why linux boxes couldn't connect to
> me.
>
> I wasn't running keep state on incoming traffic, only outgoing.
> That means the keep state didn't have the initial SYN packet from an
> outside host making a connection into me. No initial SYN, no window
> scaling info.
>
> My current pickup check is not quite sufficient, either. I have to
> check that the SYN was observed in both directions. Seeing just
> one of the SYNs may not be enough. I'll have to re-read the window
> scaling rules.
>
> Max, or anyone... do you happen to remember whether window scaling
> is negotiated the same for both directions or whether each
> direction in a TCP connection can use a different scaling factor?
The latter. It wouldn't make much sense if your peer could dictate a scaling
factor.
The wscale for the other direction is set here:
http://fxr.watson.org/fxr/source/net/pf/pf.c?v=DFBSD#L3810 ff. Note that
this is in the state tracking already, we are looking at the first packet
from src and TH_SYN is set (-> this is the SYN+ACK) from the peer.
dst.wscale was already set when the state was created:
http://fxr.watson.org/fxr/source/net/pf/pf.c?v=DFBSD#L2727 (where src is
the other end sending the initial SYN).
At least this is the way things behave when you have "flags S/SA".
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
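
The per-direction negotiation discussed in this message, as an added C example (not code from pf or from anyone in the thread): each side announces its own shift in its SYN or SYN+ACK, scaling is in effect only when both carried the option (RFC 7323), and a tracker that missed either SYN cannot know the factor. The struct, function names and sample option bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define WS_UNSEEN (-2)  /* that side's SYN was never observed */
#define WS_NONE   (-1)  /* SYN observed, no usable window-scale option */
#define WS_MAX    14    /* RFC 7323: larger shift counts are treated as 14 */

/* Hypothetical tracker record; not pf's struct pf_state. */
struct ws_track { int init_shift, resp_shift; };

/* Constructed sample option areas: MSS 1460, NOP, window scale. */
const uint8_t SYN_OPTS[]    = { 2, 4, 0x05, 0xb4, 1, 3, 3, 7 };
const uint8_t SYNACK_OPTS[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 2 };

/* Walk a TCP options area; return the shift count or WS_NONE. */
int tcp_opt_wscale(const uint8_t *opt, size_t len)
{
    size_t i = 0;
    while (i < len && opt[i] != 0) {            /* kind 0 = end of options */
        if (opt[i] == 1) { i++; continue; }     /* kind 1 = NOP, one byte */
        if (i + 1 >= len) return WS_NONE;       /* truncated before length */
        uint8_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len) return WS_NONE;  /* bogus length */
        if (opt[i] == 3)                        /* kind 3 = window scale */
            return olen != 3 ? WS_NONE : opt[i + 2] > WS_MAX ? WS_MAX : opt[i + 2];
        i += olen;
    }
    return WS_NONE;
}

void ws_init(struct ws_track *t) { t->init_shift = t->resp_shift = WS_UNSEEN; }
void ws_on_syn(struct ws_track *t, const uint8_t *o, size_t n) { t->init_shift = tcp_opt_wscale(o, n); }
void ws_on_synack(struct ws_track *t, const uint8_t *o, size_t n) { t->resp_shift = tcp_opt_wscale(o, n); }

/* Window advertised by one side in a non-SYN segment. Returns 0 and fills
 * *out, or -1 when a SYN was missed and the factor cannot be known. */
int ws_window(const struct ws_track *t, int from_initiator, uint16_t raw, uint32_t *out)
{
    if (t->init_shift == WS_UNSEEN || t->resp_shift == WS_UNSEEN)
        return -1;
    /* Scaling is in effect only when both SYNs carried the option. */
    int on = t->init_shift >= 0 && t->resp_shift >= 0;
    int shift = from_initiator ? t->init_shift : t->resp_shift;
    *out = (uint32_t)raw << (on ? shift : 0);
    return 0;
}
```

With the sample bytes, the same raw window of 512 means 65536 bytes from the initiator and 2048 bytes from the responder.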